TLP - The Digital Forensics Podcast - Episode 5 - NIST SP 800-61 Computer Security Incident Handling Guide (Post-Incident Activity)

Episode 5 - NIST SP 800-61 Computer Security Incident Handling Guide (Post-Incident Activity)

06/12/24 • 33 min

TLP - The Digital Forensics Podcast

Send us a text

This is the biggest episode from a content perspective so far. I'm excited to share it with you.
Episode Highlights:

  • How to run post-incident debriefs and post-mortems.
  • Involving external teams
  • Using lessons learned to form actionable insights.
  • Key questions to address in incident analysis.
  • Effective report writing strategies, including timelines and executive summaries.
  • Evaluating and improving incident response procedures and tools preparation.
  • Engaging broader teams in the debrief process for better cooperation.
  • Tracking and documenting incident response efforts for continuous improvement.

Key Takeaways:

  • Post-incident debriefs and post-mortems afford the most value for learning, improving incident response and preventing recurrence.
  • Using structured frameworks and guidelines, like NIST 800-61, provides valuable direction for how to run your debrief and post-mortem meeting.
  • Effective communication, documentation, and cooperation across teams enhance incident handling and future preparedness.
Previous Episode

Episode 4 - NIST SP 800-61 Computer Security Incident Handling Guide (Containment, Eradication and Recovery)

Send us a text

Show Notes: Episode on Containment, Eradication, and Recovery

In this episode of Traffic Light Protocol, Clint Marsden explores the containment, eradication, and recovery phases of the NIST SP 800-61 framework for computer security incident handling.

Key Topics Covered:

  • Containment Strategies: Choosing appropriate containment methods based on the incident type, potential damage, service availability, and evidence preservation. Examples include power disconnection and network isolation.
  • Real-World Example: Clint shares an incident response case where premature action against attackers led to a total domain takeover.
  • Evidence Gathering and Handling: The use of tools like write blockers to preserve evidence integrity.
  • Threat Analysis: Highlights passive techniques for analysing threats without alerting attackers, such as remote log analysis and maintaining OPSEC while tracking attackers.
  • Restoration and Recovery: Covers steps to restore systems to normal operations, including vulnerability patching, backup restoration, and password resets.
  • Future Considerations: Suggests engaging with external vendors for comprehensive incident response and utilizing threat intelligence platforms.

Join Clint Marsden as he guides you through the intricacies of incident response, helping you enhance your digital forensics skills. Follow Clint Marsden on LinkedIn (https://www.linkedin.com/in/clintmarsden/) and TLP on LinkedIn (https://www.linkedin.com/company/traffic-light-protocol-the-digital-forensics-podcast-tlp) for more updates and insights.

Next Episode

Episode 6 - Responding to ransomware - is your VPN a target? Plus ransomware risk mitigation with Phil Ngo

Send us a text

In this episode, we speak with Phil Ngo, a Primary Investigator in Accenture's global cyber response team.

As a primary investigator, he is responsible for helping clients recover from major incidents as well as delivering proactive cyber services, such as threat hunting and tabletop exercises. Philip started his career as a high school teacher, before moving into IT support and eventually into cyber security six years ago. Philip has worked across multiple industries and, through his experience, has built up a solid cyber forensics and response skillset.

Get some tactical assistance from Phil's real-life, high-pressure incident experience. In this episode we cover:

Challenges in Digital Forensics:

  • Obstacles in digital forensics and incident response - working with people and systems
  • Frequent vulnerabilities exploited in breaches
  • The potential impact of AI on digital forensics and incident response
  • Essential qualities and resources for aspiring cybersecurity professionals

Connect with Phil on LinkedIn here: https://www.linkedin.com/in/phil-ngo1337/

YouTube channels for additional learning:

  • 13 Cubed: www.youtube.com/@13Cubed
  • Network Chuck: http://www.youtube.com/@NetworkChuck
  • SANS Forensics: http://www.youtube.com/@SANSForensics
